philip_clarke Wrote:
-------------------------------------------------------
> To be effective against this type of vector,
> PHP-IDS etc.. now needs to take into account all
> of the libraries methods and constructs such as
> jQuery, mootools etc...

Not necessarily...
Did you try to use that vector cross-site with NoScript installed?
e.g. http://noscript.net/?p='%27%2CjQuery%28%22.fred%22%29.html%28%2F%40thrill+you+have+community+work+to+do%2F%2B%2F+%26+%40sirdarckcat+I+would+not+stoop%2F%29%3B%27a ?
:)

> if you are going to attempt to show off sirdarckcat you may want to use a vector that passes through php-ids

lol, that's possible, but I'm not in the mood to bypass those... I will now declare that I have an imaginary potential (and copyrighted under imaginary laws) bypass and I can also make it evade NoScript (which you failed to do).

The fact that I can find such a bypass (even if I haven't) can be confirmed by .mario & ma1 (I don't even need to find it, they trust I can).

Anyway, I congratulate you for finding a bypass on PHPIDS; hopefully you can reduce those 3 hours for the next time, since that's way too slow.

@philip_clarke:
NoScript by default is tuned to check for injections only when it's necessary, i.e.:

1. The request must be cross-site (this can be overridden by setting noscript.injectionCheck to 3, which will cause NoScript to check every request, even same-site)

2. The target site must be Javascript-enabled (XSS won't work anyway if it's not). Of course, some "dangerous" HTML injections are checked also if the target is not Javascript-enabled yet, as sirdarckcat showed you, and if you allow the site after the request it gets checked during the reload.

3. The target site must not match any of the exceptions listed in NoScript Options|Advanced|XSS. This includes by default Google Search, Yahoo! Search and Wikipedia articles, because they're likely to contain sensible patterns, (especially if user is a coder), but are proven to be safe. Of course you can remove them, if you feel like that.

All the cases you reported as false negative were either same-site (not XSS) or non-whitelisted target (injection won't run).
The noscript.net site triggers because it's included in the default whitelist shipping with NoScript, therefore if it was vulnerable it would need to be protected.

philip_clarke Wrote:
-------------------------------------------------------
> isn't that then a partial implementation
> [...]
> How far does "the trust
> go ?", doesn't trust html vectors but does trust
> script based vectors ?

I'm not sure about what you mean exactly.
NoScript features a full (not partial) anti-XSS protection against type 0 and type 1 XSS.
Since XSS means "cross-site scripting", there's no reason to check same-site requests or requests landing on sites where scripting is not allowed (and where the attack is doomed to fail anyway).

However NoScript goes beyond this, by checking HTML injections (e.g. <form>, <meta> or <style> which can be used for scriptless phishing purposes) on sites where scripting is not allowed, and by giving users the option to check also same-site requests.

Therefore, rather than "partial", I'd say this is a complete implementation with extras...
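The three conditions ma1 lists above (cross-site request, script-enabled target, no XSS exception), plus the extras he mentions (the `noscript.injectionCheck` = 3 override and the `<form>`/`<meta>`/`<style>` HTML-injection check on non-whitelisted sites), can be written down as a small decision function. The following is an added illustration, not NoScript's own code: the `shouldCheckInjection`, `hostOf` and `looksLikeHtmlInjection` names, the `policy` object shape, the constructed exception regex and the hostname-equality notion of "site" are all assumptions made for the example.

```javascript
// Added example (not NoScript's code): a simplified model of the rules that
// decide whether the anti-XSS filter inspects a request, as described above.
// "Site" is reduced to hostname equality here, which is a simplification of
// the extension's own site matching.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// HTML injections such as <form>, <meta> or <style> (scriptless phishing)
// are checked even when the target site is not allowed to run scripts.
const DANGEROUS_HTML = /<\s*\/?\s*(form|meta|style)\b/i;

function looksLikeHtmlInjection(url) {
  const search = new URL(url).search;
  let text;
  try {
    text = decodeURIComponent(search);
  } catch (e) {
    // Malformed percent-encoding: fall back to the raw query string.
    text = search;
  }
  return DANGEROUS_HTML.test(text);
}

// `policy` mirrors the settings described in the post (assumed shape):
//   injectionCheck: 3 forces a check on every request, otherwise only
//                   cross-site requests are checked
//   whitelist:      hostnames allowed to run JavaScript
//   xssExceptions:  regexes over the target URL (Options|Advanced|XSS) that
//                   skip the check
function shouldCheckInjection(originUrl, targetUrl, policy) {
  const targetHost = hostOf(targetUrl);

  // Rule 1: the request must be cross-site, unless injectionCheck is 3.
  const crossSite = originUrl === null || hostOf(originUrl) !== targetHost;
  if (!crossSite && policy.injectionCheck < 3) {
    return { check: false, reason: 'same-site request' };
  }

  // Rule 2: the target must be allowed to run scripts; a non-whitelisted
  // target is still checked when the request carries an HTML injection.
  const scriptsAllowed = policy.whitelist.includes(targetHost);
  if (!scriptsAllowed && !looksLikeHtmlInjection(targetUrl)) {
    return { check: false, reason: 'target not whitelisted, script cannot run' };
  }

  // Rule 3: the target must not match one of the XSS exceptions.
  if (policy.xssExceptions.some((rx) => rx.test(targetUrl))) {
    return { check: false, reason: 'target matches an XSS exception' };
  }

  return {
    check: true,
    reason: crossSite
      ? 'cross-site request to a script-enabled site'
      : 'forced by injectionCheck=3',
  };
}

// Constructed policy resembling the defaults described in the post.
const examplePolicy = {
  injectionCheck: 1, // assumed default: check cross-site requests only
  whitelist: ['noscript.net'], // noscript.net ships in the default whitelist
  xssExceptions: [/^https?:\/\/www\.google\.com\/search/i], // constructed stand-in
};

// The vector quoted earlier in the thread, sent from a third-party page.
const VECTOR =
  "http://noscript.net/?p='%27%2CjQuery%28%22.fred%22%29.html%28%2F%40thrill+you+have+community+work+to+do%2F%2B%2F+%26+%40sirdarckcat+I+would+not+stoop%2F%29%3B%27a";

console.log(shouldCheckInjection('http://third-party.example/', VECTOR, examplePolicy));
console.log(shouldCheckInjection('http://noscript.net/', VECTOR, examplePolicy));
console.log(shouldCheckInjection('http://third-party.example/',
  'http://other.example/?q=%3Cform%3E', examplePolicy));
```

Run with `node`: the first call is checked (cross-site to a whitelisted site), the second is skipped as same-site unless `injectionCheck` is raised to 3, and the third is checked despite `other.example` not being whitelisted because the query carries a `<form>` injection.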

Using javascript from a site itself has been done a long time ago, I wrote about it too, plus YouTube was vulnerable to this 2 years ago. Reported, got fixed. That's about it, nothing new, nothing exotic, nothing to protect other than fixing bugs by those who program the damn thing.